Trust Assessment
project-router received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 5 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Arbitrary Command Execution via project_target_run, Arbitrary File Write via project_plan_apply.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Node.js `child_process` require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/safatinaztepe/project-router/scripts/project.js:20 |
| CRITICAL | Arbitrary command execution: Node.js `child_process` require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/safatinaztepe/project-router/scripts/server.js:18 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/safatinaztepe/project-router/scripts/project.js:257 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/safatinaztepe/project-router/scripts/server.js:178 |
| CRITICAL | Arbitrary Command Execution via project_target_run. The skill exposes a `project_target_run` tool that executes commands defined in the project-local `.project/targets.json` file. `scripts/project.js` uses `child_process.spawnSync` for command execution. If the skill is invoked within an untrusted project directory, an attacker can craft a malicious `targets.json` file containing arbitrary shell commands. When `project_target_run` is called, these commands will be executed with the permissions of the user running the skill, leading to arbitrary code execution. Recommendations: 1. **Input Validation & Sanitization**: Strictly validate and sanitize all commands loaded from `.project/targets.json` before execution. Avoid using `shell: true` with `spawnSync` for untrusted input. Prefer executing specific binaries with arguments passed as an array. 2. **Trust Boundary**: Treat all files within the `.project/` directory as untrusted input if the skill can operate on untrusted projects. 3. **User Confirmation**: Implement a mechanism to prompt the user for confirmation before executing any commands from `targets.json`, especially if they are not explicitly whitelisted. 4. **Least Privilege**: Ensure the skill and its executed commands run with the minimum necessary permissions. | LLM | scripts/project.js:12 |
| HIGH | Arbitrary File Write via project_plan_apply. The `project_plan_apply` tool allows applying a plan identified by a `planId`. The `applyPlan` function in `scripts/project.js` reads the plan from `.project/history/plans/<planId>.json`. This plan contains a `writes` array, where each entry specifies a `path` and `content`. If an attacker can place a malicious plan file in the `.project/history/plans/` directory (e.g., by creating an untrusted project containing such a file), they could then use `project_plan_apply` to write arbitrary content to arbitrary file paths on the filesystem by crafting `w.path` with path traversal sequences (e.g., `../../../../etc/malicious_file`). While the `defaultInitPlan` and `addArtifactPlan` functions generate safe paths, the `applyPlan` function itself does not validate the `w.path` from a loaded plan. Recommendations: 1. **Path Sanitization**: Implement strict validation and sanitization for the `w.path` field within the `applyPlan` function. Ensure that paths do not contain path traversal sequences (e.g., `..`) and are strictly confined to the intended `.project/` directory or other explicitly whitelisted subdirectories. 2. **Trust Boundary**: Treat all plan files within `.project/history/plans/` as potentially untrusted if the skill operates on untrusted projects. 3. **User Confirmation**: For any file write operations that could affect critical system files or locations outside the project's designated area, prompt the user for explicit confirmation. | LLM | scripts/project.js:146 |